Max Login Attempts is a security feature of QUIC.cloud CDN. It works by displaying a reCAPTCHA after a certain number of login attempts from a single IP address. When the maximum number of attempts is reached, the visitor is presented with a reCAPTCHA challenge. After 5 minutes of inactivity, the login attempts are reset.
There are numerous bad actors on the internet whose goal is to forcefully gain unauthorized access to WordPress websites. Max Login Attempts prevents malicious bots and hackers from making repeated failed login attempts on your site’s login URL. It also helps to mitigate DDoS attacks and enhances the security of multi-user WordPress and WooCommerce websites.
Enable Max Login Attempts
To find the Max Login Attempts feature, log in to your QUIC.cloud Dashboard at my.quic.cloud. Click a domain name on the My Domains tab and click CDN to access the CDN Details page.
Navigate to CDN Config > Security. Max Login Attempts is found in the Anti DDoS subsection, below the Connection Limit setting.
By default, when you add a domain to QUIC.cloud, Max Login Attempts is automatically set to 10 and the reCAPTCHA & WP Brute Force Defense setting is enabled, so you should not need to do anything.
To change the number of Max Login Attempts, first verify that reCAPTCHA & WP Brute Force Defense is set to ON. Then, set Max Login Attempts to the maximum number of login attempts a single visitor IP address is permitted before that IP address is required to solve a reCAPTCHA challenge. If you would like a reCAPTCHA challenge to be displayed on every WP-Admin login attempt, you can set Max Login Attempts to a value of 0.
How it Works
Let’s assume that the default settings are active. Here’s what happens:
- A user visits the WordPress site’s WP-Admin login page and attempts to log in.
- If the login is successful, the user is granted access to the WP-Admin backend for the site.
- If the login is unsuccessful, QUIC.cloud starts a failed login attempts counter, and WordPress displays the error message:
Error: The password you entered for the username [example] is incorrect. Lost your password?
- The user can try to log in nine more times. If they are successful during any of these attempts, they will be granted access. For each unsuccessful attempt, the counter is increased. After ten attempts with faulty credentials, the limit is reached.
- QUIC.cloud redirects the user from the login page to a reCAPTCHA challenge. The user will be required to solve a logical problem, such as selecting a certain number of buses or bridges from a list of randomized images. Bots generally cannot solve such a challenge.
- The reCAPTCHA page is closed only after the user makes a selection and clicks the VERIFY button. If verification fails, or the user tries to dismiss the reCAPTCHA by reloading the page, a reCAPTCHA will be displayed again on the next login attempt.
- After five minutes of inactivity, QUIC.cloud will clear the attempt counter.
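The counter behaviour described in the steps above, modeled in Python as an added example (it is not QUIC.cloud's code and not part of the original article). The class and function names, the sample IP addresses, and the handling of successful and challenged requests are assumptions made for illustration.

```python
from dataclasses import dataclass, field

RESET_AFTER_SECONDS = 5 * 60  # counter clears after five minutes of inactivity


@dataclass
class LoginAttemptLimiter:
    """Toy model of a per-IP failed-login counter (not QUIC.cloud code)."""
    max_attempts: int = 10          # page default; 0 challenges every attempt
    state: dict = field(default_factory=dict)   # ip -> (failed_count, last_seen)

    def _failed_count(self, ip, now):
        count, last_seen = self.state.get(ip, (0, now))
        # Assumption: "inactivity" is time since this IP's last login request.
        return 0 if now - last_seen >= RESET_AFTER_SECONDS else count

    def challenge_required(self, ip, now):
        return self._failed_count(ip, now) >= self.max_attempts

    def record_attempt(self, ip, now, success):
        count = self._failed_count(ip, now)
        # Assumption: a successful login leaves the counter unchanged.
        self.state[ip] = (count if success else count + 1, now)


def replay(events, max_attempts=10):
    """Return one 'challenge' / 'login' decision per (time, ip, success) event."""
    limiter = LoginAttemptLimiter(max_attempts)
    decisions = []
    for now, ip, success in events:
        if limiter.challenge_required(ip, now):
            decisions.append("challenge")
            # Assumption: a challenged request counts as activity only.
            limiter.state[ip] = (limiter._failed_count(ip, now), now)
        else:
            decisions.append("login")
            limiter.record_attempt(ip, now, success)
    return decisions


# Constructed sample: 12 failed logins 10 s apart from one IP, one unrelated
# visitor, then the first IP returning after more than five idle minutes.
SAMPLE = [(t * 10, "203.0.113.7", False) for t in range(12)]
SAMPLE += [(115, "198.51.100.20", True), (110 + 301, "203.0.113.7", False)]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE, replay(SAMPLE)):
        print(event, "->", decision)
```

With the default of 10, the first ten failed attempts reach the login form and the eleventh is challenged; with `max_attempts=0`, every attempt is challenged.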
Can You Hide Your Login URL?
This feature is not compatible with plugins such as WPS Hide Login. Why? A hide login URL plugin changes the standard WordPress login URL location and may further customize the standard login procedure. Max Login Attempts relies on these standards in order to monitor login activity.
Please contact technical support should you have further questions or concerns regarding using a hide login URL plugin with this security feature.
Conclusion
The Max Login Attempts security feature is a valuable tool for safeguarding your WordPress website. By limiting the number of login attempts allowed from a single IP address, and requiring a reCAPTCHA challenge after exceeding the limit, it helps to deter brute-force attacks and unauthorized access attempts by malicious bots. This enhances the overall security of your WordPress or WooCommerce website.
[Editor’s Note: This article was written by Philani Gumbo.]